How To Assign Application Impersonation using PowerShell

Learn how to enable Application Impersonation in your organization's Microsoft Exchange environment using PowerShell

Why is Application Impersonation needed?

Some parts of the AskCody platform like Services and Displays with advanced features enabled require an Exchange service account with application impersonation to function correctly.

Application Impersonation is used to access appointments and monitor room calendars for changes; delegated access is not sufficient.

This article will guide you through the process of assigning application impersonation to the service account using the Office 365 Admin Management Console or Remote Windows Powershell. 

Assigning the application impersonation role in Exchange 2010, 2013 or Exchange Online (Office 365) using Remote Windows PowerShell

To assign the application impersonation role, you must first connect to Exchange using Remote Windows Power- Shell. The steps to do this depend on your version of Exchange.

For Exchange Online (Office 365), execute the following commands in PowerShell: 

$Credentials = Get-Credential 
Import-Module MSOnline
Connect-MsolService -Credential $Credentials 
$Session = New-PSSession -ConfigurationName Microsoft.Exchange –ConnectionUri "" -Authentication Basic -Credential $Credentials –AllowRedirection
Set-ExecutionPolicy RemoteSigned
Import-PSSession $Session 

You will be asked to supply valid Office 365 credentials.

For Exchange 2010 and 2013, execute the following commands in PowerShell, where CAS FQDN is the fully qualified domain name of an Exchange 2010 or 2013 Client Access Server: 

$Credentials = Get-Credential 
$Session = New-PSSession -ConfigurationName Microsoft.Exchange –ConnectionUri "https://<CAS FQDN>/PowerShell/" -Authentication Kerberos -Credential $Credentials 
Set-ExecutionPolicy RemoteSigned 
Import-PSSession $Session 

You will be asked to supply valid Exchange credentials.
If you have not already created an AskCody service account, do so by executing the following commands, where <UserPrincipalName> and <Password> are the username and password for the account: 

New-MSolUser -DisplayName "Service Account for AskCody" –UserPrincipalName <UserPrincipalName> -Password <Password> -PasswordNeverExpires $true 

Then create a new role group, where <GroupName> is the name of the group and <UserPrincipalName> is the username of the AskCody service account: 

New-RoleGroup -Name "<GroupName>" -Roles ApplicationImpersonation -Members "<UserPrincipalName>" 

You can now disconnect the Remote PowerShell session: 

Remove-PSSession $Session 

Finally, login using the service account to ensure that it is configured correctly. 

Learn More

Go to Office Dev Center to learn more about using apps for Outlook for your organization

(The link above will redirect you to Microsoft Dev Center)


Despite the continued efforts of AskCody to ensure that the information in this document is as complete and up-to-date as possible, AskCody cannot be held accountable for the correctness and/or completeness and/or specific applicability of the published and/or requested information in this document. AskCody shall not be liable for any direct, indirect, incidental, special, or consequential damages, lost profits, or business interruption arising out of the use of this document. The extraction and use of information from this document remain at all times completely within the user's own risk.